Microsoft has released Hotfix Rollup 2 for Forefront Protection for Exchange. This article contains information about how to obtain the hotfix rollup as well as descriptions of new features and issues that are fixed.
A new safety mechanism is being introduced in Rollup 2 for Forefront Protection for Exchange which will restart a Transport scan process if that process encounters more than 5 exceptions.
In the case that the exception type is specific to a process instance, this safety mechanism will automatically rectify the situation and allow normal operations to continue.
More Information
Once you have upgraded to Forefront Protection for Exchange with Service Pack 2, you can use the Set-ExtendedOption Forefront Management Shell cmdlet to change the ExceptionCount. For example, to set the default Exception Count to 2, run this command in the Forefront Management Shell:
Set-ExtendedOption ExceptionCount -value 2
Note that the ExceptionCount extended option applies to the Transport scanjob only.
Forefront Protection for Exchange will now post an alert if any items are present in the Undeliverable archive folder
Summary
A new Health Point has been introduced to monitor any undeliverable mail that is copied to the %Program Files (x86)%\Microsoft Forefront Protection for Exchange Server\Data\Archive\Undeliverable folder.
When any messages are present in the Undeliverable folder, or its subfolders, the following reporting mechanisms are activated:
· An “Undeliverable items archived” Health Point error will be logged to the Scanjob Health Monitor, on the Dashboard of the Forefront Protection for Exchange Administrator UI.
· An 8056 event ID will be written to the application event log, warning that “X messages have been archived and purged due to an error while scanning”, where X represents the number of messages that have been archived. Please ensure that mail is not queuing.
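A scheduled check for the two signals described above, written as an added example (it is not Microsoft's code). It assumes the default installation path quoted in this article and Windows PowerShell 2.0 or later; the function name and the LookbackHours parameter are hypothetical.

```powershell
# Added example: report on the Undeliverable archive and on event ID 8056.
function Get-FpeUndeliverableStatus {
    param(
        # Assumption: default install location from the article; override if FPE lives elsewhere.
        [string]$ArchivePath = (Join-Path ${env:ProgramFiles(x86)} `
            'Microsoft Forefront Protection for Exchange Server\Data\Archive\Undeliverable'),
        # Hypothetical parameter: how far back to search the Application log.
        [int]$LookbackHours = 24
    )

    # The Health Point fires for the folder "or its subfolders", so recurse.
    $files = @()
    if (Test-Path -LiteralPath $ArchivePath) {
        $files = @(Get-ChildItem -LiteralPath $ArchivePath -Recurse -Force |
                   Where-Object { -not $_.PSIsContainer })
    }

    # Event ID 8056 in the Application log. The article does not name the event
    # source, so the message text it quotes is used to exclude unrelated 8056 events.
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $events = @(Get-WinEvent -FilterHashtable @{
                    LogName   = 'Application'
                    Id        = 8056
                    StartTime = $since
                } -ErrorAction SilentlyContinue |
                Where-Object { $_.Message -like '*archived and purged*' })

    $oldest = $files  | Sort-Object LastWriteTime | Select-Object -First 1
    $latest = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1

    New-Object PSObject -Property @{
        ArchivePath     = $ArchivePath
        ArchivedItems   = $files.Count
        OldestItemTime  = $(if ($oldest) { $oldest.LastWriteTime })
        Event8056Count  = $events.Count
        LatestEventTime = $(if ($latest) { $latest.TimeCreated })
        # Either signal means mail failed scanning and was not delivered.
        NeedsAttention  = ($files.Count -gt 0 -or $events.Count -gt 0)
    }
}

Get-FpeUndeliverableStatus | Format-List
```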
More Information
The Undeliverable folder is used to archive mail that cannot be processed properly by Forefront Protection for Exchange’s Transport scanjob. Any mail in this folder or subfolders encountered a serious scanning issue and could not be delivered to the intended recipient(s). The mail is archived so that the administrator at least has a copy of the original
Forefront Protection for Exchange now collects URL count data
Summary
Forefront Protection for Exchange now collects the following data for analysis by Microsoft:
· Total number of mails per hour
· Total number of URLs per hour
· Number of mails with one or more URLs per hour
· The local server's time zone
More Information
For more details about the data collected, please see the “Customer Experience Improvement Program” section in the Microsoft Forefront Protection for Exchange Privacy Statement: Privacy Statement
(http://download.microsoft.com/download/4/A/D/4AD09FEE-A550-4D55-B902-B521B99DB672/Microsoft%20Forefront%20Server%20Protection%202010%20Privacy%20Statement%20en-US.htm)
Forefront Protection for Exchange Hotfix Rollup 2 allows for the FSEAgent Log size to be increased
Summary
The FSEAgent logs record the anti-spam and filtering results of each scan that Forefront performs on messages on the Transport. Before FPE Hotfix Rollup 2, the FSE Agent Log had a maximum size of 350 megabytes. This threshold can now be increased.
More Information
In order to increase the size of the FPE Agent Log, please follow these directions:
1.) Open the FPE Powershell
2.) Create a new extended option: New-FseExtendedOption -Name AgentLogDirMaxSize -Value 500
3.) Restart the Exchange Transport service
Please note, the above directions use 500 (megabytes) as an example. The number here represents megabytes and has no limit. You can define any size limit you want.
The FSEAgent Logs are found in the following directory: %Program Files (x86)%\Microsoft Forefront Protection for Exchange Server\Data\FSEAgentLog folder
The FSCDiag in Forefront Protection for Exchange Hotfix Rollup 2 now collects dump files on Windows Server 2008
Summary
The FSCDiag is used to collect diagnostic information for Forefront Protection for Exchange. After you apply Hotfix Rollup 2, it also collects any existing dump files on Windows Server 2008.
You can now customize deletion text when Forefront Protection for Exchange tags mail as “EncryptedCompressedFile” or “CorruptedCompressedFile”
Summary
Forefront’s deletion text for “EncryptedCompressedFile” or “CorruptedCompressedFile” was hardcoded.
Forefront Protection for Exchange Rollup 2 will now use the deletion text as defined by the administrator under the following panes of the administrative console:
Details of the issues that are addressed in the hotfix rollup
Out of memory state occurs when running an on-demand scan in Forefront Protection for Exchange
Issue
While running an on-demand scan, the CPU utilization increases to 100%, consuming so much memory that no physical memory is available for other processes.
Symptoms
The on-demand scan cannot complete. The CPU utilization spikes to 100%. Other processes cannot run. The following error will be logged in the System Log:
Keywords: Events related to exhaustion of system commit limit (virtual memory).
User: SYSTEM
Computer: [computer name]
Description:Windows successfully diagnosed a low virtual memory condition. The following programs consumed the most virtual memory: store.exe (2460) consumed xxxxxxxxx bytes, FSEOnDemandNav.exe (1360) consumed xxxxxxxxx bytes, and w3wp.exe (6808) consumed xxxxxxxxx bytes.
Cause
This is a result of FPE using an invalid pointer when attempting to bind with Exchange to identify mailboxes to scan.
The link provided by FPE to request removal from the SpamHaus block list is wrong
Issue
When the "ForeFront DNSBL" functionality in FPE is enabled, messages may be treated as spam by the SpamHaus block list. When this happens, a link is provided in the NDR with the following message:
· To request removal from this list please visit http://www.spamhaus.org/query/bl?ip=$
The link in the above message is broken.
Symptoms
The URL generates a “The requested URL could not be retrieved” message.
Cause
The dollar sign within the URL should be an IP address.
Forefront Protection for Exchange does not display data in multiple console fields and mail cannot be sent externally
Issue
Forefront Protection for Exchange does not display data in multiple console fields and mail cannot be sent externally.
Symptoms
When FPE is installed on Exchange 2007 several administrative console fields show blank information. These fields may include:
· MALWARE DETAILS
· FILTERING DETAILS
· POLICY MANAGEMENT – FILTER OPTIONS
· POLICY MANAGEMENT - ANTIMALWARE SUBHEADINGS
· POLICY MANAGEMENT – SCAN OPTIONS
Mail sent to external users may be undeliverable.
Options for the Cloudmark anti-spam engine may be present on mailbox servers. These options should only be present on hub-transport servers.
Cause
Although the server is running Exchange 2007, the existence of the following registry key makes FPE believe that Exchange 2010 is installed on the server: HKLM\SOFTWARE\Microsoft\ExchangeServer\v14
When starting a Windows Server 2008 R2 server running Exchange and Forefront Protection for Exchange, startup times are exceptionally long
Issue
Changes in Windows Server 2008 R2 can cause delays when starting an Exchange server running Forefront Protection for Exchange. This is expected behavior and is not due to an error condition.
Symptoms
Exceptionally long server start up times.
Cause
Additional functions have been added to Windows Server 2008 R2 to coordinate service startup requests.
Forefront Protection for Exchange falsely detects legitimate attachments as Corrupted Compressed files
Issue
Legitimate compressed files are detected as Corrupted Compressed by Forefront Protection for Exchange. These file types include RAR, ZIP, JPEG and COD files.
Symptoms
Forefront scans and detects these files as Corrupted Compressed. FPE then takes action on these messages as defined by the administrator in the FPE console in relation to Corrupted Compressed files.
Cause
Failure in the Forefront Protection for Exchange decompression logic wrongly characterizes files as compressed.
File filtering does not occur in Forefront Protection for Exchange
Issue
Forefront may be unable to identify a file name within TNEF or a WINMAIL.DAT if it is longer than expected. Forefront then categorizes the file type as unknown and is unable to perform any file filtering based on file name or file type.
Symptoms
File filtering does not occur; however, virus scanning does occur.
A Forefront Protection for Exchange antivirus engine fails to load and mail is deleted
Issue
If an engine fails to load for any reason, and Forefront directs mail to that engine to be scanned, the mail will be deleted. If you are using one engine, and that engine fails to load, all mail will start to be deleted.
Symptoms
Mail is deleted and unrecoverable.
Forefront Protection for Exchange quarantines a blank message when taking action on a subject line filter
Issue
When Forefront Protection for Exchange filters mail based on a subject line filter during a RealTime scan, the message is sent to the quarantine containing a blank subject line and a blank message body.
Symptoms
These items in the quarantine will not have subject lines or data within the body of the message. The message essentially is completely lost and replaced by a blank email.
When installing FPE on Data Availability Group cluster (DAG), Domain Administrator privileges are required
Issue
When installing FPE on Data Availability Group cluster (DAG), Domain Administrator privileges are required. These privileges can be viewed as excessive. With Forefront Protection for Exchange Hotfix Rollup 2, you can now install with Exchange Administrator privileges.
Messages cannot be scanned because FSCController service in Forefront Protection for Exchange is stuck in a continuous loop
Issue
This issue occurs when FSCController is both trying to scan a new message and is trying to save a configuration change at the exact same time.
Symptoms
You may notice errors in the application log, stating that “The installed virus scanner is currently unavailable” or you may see other timeout errors. Mail cannot be scanned until the FSCController service is restarted.
Cause
FSCController is caught in a loop while trying to shut down.
"The Expiration Date is not valid" is returned when you try to enter a new expiration date in Forefront Protection for Exchange
Issue
It is the last day of the month and you try to enter a new expiration date in Forefront Protection for Exchange. The new expiration date is not accepted and "The Expiration Date is not valid" is returned. Note that the actual expiration date is irrelevant; it will always fail when you attempt to enter any date on the last day of any month.
Work-around
Enter a new expiration date on any day other than the last day of the month.
The Forefront Protection for Exchange Administrator console hangs for several minutes when you navigate to the Filter Lists section
Issue
When you navigate to the Filter Lists section of the Forefront Protection for Exchange Administrator console (located under Policy Management\Filter\Filter Lists), the console hangs for several minutes and CPU utilization rises. Microsoft.Forefront.Securitysuite.ui.console.exe is known to consume close to 100% of CPU resources during this time.
Symptoms
Microsoft.Forefront.Securitysuite.ui.console.exe may consume close to 100% of CPU resources during this time.
Exceptionally long server start up times.
Cause
This can occur if you are using a large number of filter list entries, as Forefront Protection for Exchange tries to load them all.
Cannot uninstall Forefront Protection for Exchange on a non-clustered server
Issue
You attempt to uninstall Forefront Protection for Exchange on a non-clustered server, but it fails. You note that the server has the Cluster Service installed, even though it is in a disabled state.
Symptoms
When you try to uninstall Forefront Protection for Exchange the following message is displayed:
"System updates required.
Installation on clusters requires that the cluster service is running. Start the cluster service unless this server is no longer part of a cluster. In that case uninstall the cluster service"
Cause
Forefront Protection for Exchange uses the presence of the Cluster Service to determine whether the machine is part of a clustered server. If the Cluster Service is installed, Forefront Protection for Exchange treats it as a clustered server and requires the service to be enabled and started.
Transport Scan process is not safely aborted after an out-of-memory condition occurs
Issue
If a Transport scan process (FSCTransportScanner.exe) is unable to scan a message due to an out-of-memory condition, Forefront Protection for Exchange should terminate the corresponding process and create a new one in its place. In the case that it is unable to do this, further messages will continue to reach the process, creating more out-of-memory errors.
Symptoms
You may see events that reference the following messages in the Application Log:
1.) Scan job encountered an out of memory error. Returning E_OUTOFMEMORY.
2.) An exception has occurred within ForefrontAgent's Scan method. Exception message = "Insufficient memory to continue the execution of the program."
3.) Transport scan engine exception occurred. The scanner will be aborted.
4.) An exception has occurred within ForefrontAgent's AbortScanner method. Exception message = "Thread failed to start."
5.) <Engine_Name>: Memory allocation failure
6.) <Engine_Name>: operation failed with return code 2147747079 Scan engine failure within Internet scan job (file "<Message_Name>", message "<Undisclosed>", folder "<Message_Direction>", engine <Engine_Name> 00010016)
Cause
Forefront Protection for Exchange is unable to terminate the scan process and is designed to continue receiving messages for scanning, although each scan will fail until the process is successfully terminated and a new one is created in its place.
The FSCTransportScanner.exe process in Forefront Protection for Exchange may stop responding, and this generates a Dr. Watson crash that references Bucket ID 1211603866
Issue
The FSCTransportScanner.exe process in Forefront Protection for Exchange may stop responding, and this generates a Dr. Watson crash that references Bucket ID 1211603866.
Symptoms
Dr. Watson reports Bucket ID [1211603866] when this issue occurs. Additionally, the following information may be reported by Dr. Watson:
This crash occurs when RARNavigator.dll does not correctly handle invalid metadata.
Filter Lists display an incorrect scan action in the Forefront Protection for Exchange Administrator console
Issue
You create a Filter List, setting a certain action to be taken when filter criteria are met. You decide to change the action. You then refresh the Forefront Protection for Exchange Administrator console and note that the action for the Filter List has now changed.
Symptoms
The relationship between the original action, the new action and the action ultimately visible in the Forefront Protection for Exchange Administrator console is explained in the following table:
Original action | New action | Action visible in the FPE Administrator console
Identify | Skip: detect only | Identify
Skip: detect only | Identify | <None present; blank>
Cause
Additional functions have been added to Windows Server 2008 R2 to coordinate service startup requests.
FSCController.exe is reloaded many times whenever the Start-SignatureUpdate cmdlet is run on a cluster running Forefront Protection for Exchange
Issue
Running the Start-SignatureUpdate cmdlet on a cluster causes the Microsoft Cluster Resource Utility DLL (resutils.dll) to be reloaded several times. This is not the most efficient way to register changes and can lead to performance issues.
Symptoms
You may notice that the Start-SignatureUpdate cmdlet takes a long time to execute.
Cause
Inefficient reloading of resutils.dll.
Submission queues in Exchange 2007 or 2010 fill when making a configuration change in Forefront through the administrator or through PowerShell
Issue
Forefront and Exchange compete for CPU cycles when the Exchange server is under high stress. This typically coincides with peaks in mail flow.
Symptoms
Mail queues increase in the Exchange submission queues.
Cause
Inefficient accessing of Forefront’s configuration.xml and inefficient processing of subsequent data retrieved.
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
How to install the hotfix rollup
To install the hotfix rollup on any server that is not part of a SCC cluster, follow these steps:
Run the installer. To do this, double-click the hotfix rollup executable file.
Note When the installer is running, the Forefront services are stopped.
After the installation is complete, and the Forefront services are restarted, make sure that Forefront is working correctly.
Notes
The Forefront services are restarted automatically during the installation.
To install the hotfix rollup on a SCC cluster, choose one of the following methods:
Method 1 To install this particular hotfix on a SCC cluster, you should perform upgrades on all active nodes first. Setup will prompt you to allow it to take resources offline and bring them back online automatically. Check that all resources are online, and that all Forefront and Exchange services have been started afterwards. You should manually bring resources online / start services, if necessary. Once you have upgraded the active nodes, do not failover. Finally, upgrade each passive node in turn.
Installing on all active nodes first means that Forefront will be able to access the DatabasePath location, to which it needs to copy a file (LocalEngineMapping.cab).
Method 2 If you prefer not to upgrade on active nodes, you may perform a “rolling upgrade” where you install on each node only when it is in a passive state. This involves performing a series of failovers, so that each node has a chance to become passive. Once all nodes have been upgraded, you must copy LocalEngineMapping.cab from each active node’s local installation to the shared disk folder for the CMS. Forefront needs this file in the following shared disk location, in order to be able to upgrade the Kaspersky engine to version 8.
Copy LocalEngineMapping.cab from each active node’s local installation (source) to its shared disk folder (target):
Source location: <LocalDisk>\Program Files (x86)\Microsoft Forefront Protection for Exchange Server
Target location: <SharedDisk>\ForefrontCluster\Engines\metadata
Notes:
1. There is no need to restart any services or failover the cluster after you have copied LocalEngineMapping.cab to the shared disk folder.
2. If you do not copy LocalEngineMapping.cab to the shared disk folder, Forefront will continue to try to update version 5 of the Kaspersky engine (which will be retired by Microsoft after 31st January 2011).
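The Method 2 copy step as a script that also verifies the result, written as an added example (it is not Microsoft's code). The function names are hypothetical, and the two parameters stand for the <LocalDisk> and <SharedDisk> placeholders above; run it on each active node, where the shared disk is reachable.

```powershell
# Added example: copy LocalEngineMapping.cab to the shared disk and verify it.

# Helper: SHA-256 of a file via .NET, so it also works on Windows PowerShell 2.0.
function Get-Sha256Hex {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Dispose(); $sha.Clear() }
}

function Copy-FpeEngineMapping {
    param(
        # Drive that holds the local FPE installation, for example 'C:' (assumption).
        [Parameter(Mandatory = $true)][string]$LocalDisk,
        # Shared cluster disk for the CMS, for example 'S:' (assumption).
        [Parameter(Mandatory = $true)][string]$SharedDisk
    )

    $fileName  = 'LocalEngineMapping.cab'
    $sourceDir = "$LocalDisk\Program Files (x86)\Microsoft Forefront Protection for Exchange Server"
    $targetDir = "$SharedDisk\ForefrontCluster\Engines\metadata"
    $source    = Join-Path $sourceDir $fileName
    $target    = Join-Path $targetDir $fileName

    # Fail early instead of creating folders the installer should have created.
    if (-not (Test-Path -LiteralPath $source)) {
        throw "Source file not found: $source"
    }
    if (-not (Test-Path -LiteralPath $targetDir)) {
        throw "Target folder not found (is the shared disk online on this node?): $targetDir"
    }

    # -Force overwrites an older copy already present in the shared folder.
    Copy-Item -LiteralPath $source -Destination $target -Force

    # Confirm that the bytes on the shared disk match the local file.
    $sourceHash = Get-Sha256Hex -Path $source
    $targetHash = Get-Sha256Hex -Path $target
    if ($sourceHash -ne $targetHash) {
        throw "Verification failed: $target does not match $source"
    }

    New-Object PSObject -Property @{
        Source = $source
        Target = $target
        SHA256 = $sourceHash
    }
}

# Example call with constructed drive letters:
# Copy-FpeEngineMapping -LocalDisk 'C:' -SharedDisk 'S:'
```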
Prerequisites
This hotfix rollup requires that Forefront Protection for Exchange is installed.
File information
This hotfix may not contain all the files that you must have to fully update a product to the latest build. This hotfix contains only the files that you must have to correct the issues that are listed in this article.
The English (United States) version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.